FIG. 6 - is a detailed block diagram illustrating remote authentication (Alternate
inventive embodiment).

Detailed Description of Preferred Embodiment

The steps involved in performing authentication through a communications pipe
are shown in Figures 1 through 8. Figure 1 is a generalized system block diagram.
Figures 2 through 5 illustrate one embodiment of the invention where responses to
authentication challenges are generated within the secure domain of a Personal Security
Device. Figures 6 through 8 illustrate a second embodiment of the invention where a
remote computer system established as a secure hub provides the proper response to
authentication challenges, rather than directing challenges through the communications
pipe into the PSD for processing. Characters shown with a prime sign (e.g. C') indicate a
duplicate of an original authentication credential. Other drawing details shown but not
described in this application refer to information described in the cross-referenced patent
application "Method and System for Establishing a Remote Connection to a
Personal Security Device."

Referring now to FIG. 1, a generalized system block diagram of the invention
where Client 10 and a connected Personal Security Device 40 are connected over a
network 45 with a remote computer system 50 using a communications pipe 75 as



system 50, is operating as a secure hub following initial authentication as described
below, to service authentication requests made by other remote computer systems sent
over a network 45 or 45A.



authentication when a request for secure functions or data is sent from client computer 10 
over the networks 45 and 45A. The communications pipe 75 applies to authentication 
transactions but does not restrict nor control non-secure transactions occurring over 
either network 45 or 45A. 

Networks 45 and 45A may be a common network, as in a virtual private
networking arrangement, or separate networks, such as a private intranet and the public internet.
The networks 45 and 45A are depicted separately for illustrative purposes
only. No limitation is intended in the number of PSDs and clients forming
communications pipes 75 with one or more secure hubs 50; nor should any limitation on
the number of remote computer systems 70 available for authentication be construed
from the drawing. Transactions not involving authentication are not restricted to the
secure hub.



described in co-pending patent




remote computer 



The remote computer system 150 is an example of a system requiring 
referenced patent application "Method and System for Establishing a
Remote Connection To a Personal Security Device." An additional limitation of this
method becomes apparent when attempting to perform multiple authenticating
transactions using a single PSD over a network connection. The PSD, being a slow
serial device, only allows one transaction to occur at a time. In addition, network
contention and processor execution speed issues become particularly problematic when
low bandwidth connections (e.g. dialup connections) are made between a client and a
remote computer system during authentication with the PSD.

Summary of Invention 

This invention resides in a method of authenticating an end user to one or more
remote computer systems using a communications pipe to send authentication codes
from a PSD to one or more secure remote computer systems. The remote computer
system establishing and maintaining the communications pipe with the PSD performs an
initial authentication, then acts as a secure hub and client authentication proxy for other
remote computer systems requesting client authentication. In a multi-tasking operating
environment, multiple authentications occur as background transactions, which are
transparent to the end user. The remote computer system acting as a secure hub may
form multiple communications pipes with other clients connected to a network.

In order to perform authentications, a communications pipe is established
between a remote computer system and a PSD as previously described in the cross-
referenced patent application "Method and System for Establishing
a Remote Connection To a Personal Security Device." A remote computer system
requiring client authentication either sends an authentication challenge to the client,
where it is redirected to the remote computer system acting as a secure hub, or, using a
pre-established address, sends the authentication challenge directly to the remote computer
system maintaining the communications pipe.

In one embodiment of this invention, the remote computer system assigned as a
secure hub performs the initial client authentication, then routes subsequent
authentication challenges through the communications pipe to the PSD for processing
within the secure domain of the PSD, then returns the PSD-generated authentication
code back through the communications pipe over a network to the challenging
remote computer system.

In a second embodiment of this invention, the remote computer system
established as a secure hub performs the initial client authentication, then copies, if not
already present, the PSD's authentication credentials through the communications pipe to
a secure storage location within the secure hub. The secure hub, using the transferred
PSD credentials and equivalent algorithms, authenticates the client to subsequent remote
computer systems by emulating the PSD.
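The two embodiments above, simulated as an added Python example that is not part of the patent: the secure hub either routes each challenge through the pipe to the PSD (first embodiment) or answers it itself with the copied credential C' (second embodiment), and logs every proxied authentication as an audit trail. Assumptions that are mine, not the page's: a symmetric HMAC-SHA256 challenge-response in which each challenging remote system 70 shares the PSD's credential, the initial authentication of FIGs. 2 and 3 is omitted, and all class and function names are hypothetical.

```python
import hashlib
import hmac
import os
import threading

class PSD:
    """Personal Security Device 40: holds credential C and answers one challenge at a time."""
    def __init__(self, credential: bytes):
        self._credential = credential      # stays inside the PSD's secure domain in embodiment 1
        self._lock = threading.Lock()      # slow serial device: a single transaction at a time
    def respond(self, challenge: bytes) -> bytes:
        with self._lock:
            return hmac.new(self._credential, challenge, hashlib.sha256).digest()
    def export_credential(self) -> bytes:  # credential transfer used only by embodiment 2 (FIG. 6)
        return self._credential

class SecureHub:
    """Remote computer system 50: after initial authentication (omitted here) it proxies for systems 70."""
    def __init__(self, psd: PSD, emulate: bool):
        self._psd = psd
        # Embodiment 2 keeps a copy C' in hub storage; that copy now lives outside the PSD's
        # secure domain, which is why the text suggests an HSM at the hub.
        self._copy = psd.export_credential() if emulate else None
        self.audit = []                    # audit trail: every proxied authentication is logged here
    def handle_challenge(self, requester: str, challenge: bytes) -> bytes:
        if self._copy is None:             # embodiment 1: route the challenge through the pipe to the PSD
            code = self._psd.respond(challenge)
        else:                              # embodiment 2: emulate the PSD with C' and the same algorithm
            code = hmac.new(self._copy, challenge, hashlib.sha256).digest()
        self.audit.append((requester, challenge.hex(), "psd" if self._copy is None else "hub"))
        return code

class RemoteSystem:
    """Remote computer system 70 requiring client authentication (assumed to share C with the PSD)."""
    def __init__(self, name: str, credential: bytes):
        self.name, self._credential = name, credential
    def authenticate_via(self, hub: SecureHub) -> bool:
        challenge = os.urandom(16)         # fresh random challenge per transaction
        code = hub.handle_challenge(self.name, challenge)
        expected = hmac.new(self._credential, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(code, expected)   # constant-time comparison

def demo(emulate: bool) -> dict:
    credential = b"constructed-demo-credential"     # constructed sample value, not a real secret
    hub = SecureHub(PSD(credential), emulate=emulate)
    good = [RemoteSystem(n, credential).authenticate_via(hub) for n in ("bank", "mail")]
    bad = RemoteSystem("mismatched", b"different-key").authenticate_via(hub)
    return {"ok": all(good), "wrong_key_rejected": not bad, "audited": len(hub.audit)}
```

Running `demo(False)` and `demo(True)` gives the same accept/reject results; only the audit entries differ in whether the PSD or the hub produced the code.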

In both embodiments of this invention, communications between local clients and
remote computer systems over one or more networks should employ secure
communications protocols as described in the cross-referenced patent application,
which further reduces the likelihood of unauthorized access or interception. For
non-proprietary transactions with the PSD, secure communications are optional.

There are several advantages to this invention when used in conjunction with the
communications pipe. First and most importantly, authentication transactions are only
performed in highly secure and protected domains, which greatly reduces the chances of
unauthorized access or interception. Secondly, authentication transactions will occur
more rapidly and seamlessly, since remote computer systems are generally provided with
greater network bandwidth and processing power than local clients.

Lastly, by relocating the authentication process to a remote computer system, a
simpler means to perform end-to-end authentication and to maintain an audit trail of
transactions by authenticated end users and transactions with other remote computer
systems is readily accomplished, since all authentication transactions are routed through
a remote computer system designated as a secure hub.

Additional security improvements may be facilitated by incorporating the use of
hardware security modules (HSM) at designated remote computer systems implementing
the secure hub portion of the invention. End-to-end security is enhanced since
authentications and related transactions occur within the highly secure domains of a PSD
and HSM.

Brief Description of Drawings

FIG. 1 - is a general system block diagram for implementing the present invention.

FIG. 2 - is a detailed block diagram illustrating initial authentication challenge.

FIG. 3 - is a detailed block diagram illustrating initial authentication. 

FIG. 4 - is a detailed block diagram illustrating remote authentication challenge. 

FIG. 5 - is a detailed block diagram illustrating remote authentication. 

FIG. 6 - is a detailed block diagram illustrating authentication credential transfer. 

FIG. 7 - is a detailed block diagram illustrating remote authentication challenge
(Alternate inventive embodiment).



